Monday, January 27, 2025
Follow us On Linkedin
HomeCyber Security NewsNoFilter: Tool that Escalates Privilege Abusing Windows Filtering Platform

NoFilter: Tool that Escalates Privilege Abusing Windows Filtering Platform

Cyber Security NewsTools

Published on

By Gurubaran
NoFilter Windows Privilege escalation

Free Webinar DevSecOps Hacks

SIEM as a Service

Follow Us on Google News

Privilege escalation is a commonly employed attack vector in the Windows operating system environment.

Attackers often leverage offensive tools such as Meterpreter, CobaltStrike, or Potato tools to execute code such as “NT AUTHORITY\SYSTEM.” 

These tools typically employ token duplication and service manipulation techniques to perform attacks like LSASS tinkering.

RPC Mapper and BFE.DLL

The Deep Instinct security research team developed an RPC mapper tool for analyzing RPC methods. The BfeRpcOpenToken method, which is part of the Windows Filtering Platform, captured their attention.

The Windows Filtering Platform is a native platform that offers network traffic control capabilities based on various attributes like application, user, address, and port.

FWPUCLNT.DLL and BFE.DLL play key roles in extracting tokens. By calling FwpsOpenToken0, a handle is duplicated from BfeRpcOpenToken, effectively accessing the BFE service token. 

BfeDriverTokenQuery triggers BfeRpcOpenToken, leading to a device IO request to “WfpAle.” 

This device was created by the tcpip.sys driver becomes instrumental in the token extraction process.

Token query involves calculating a hash based on the LUID, iterating over a hash table, and identifying the appropriate entry. The token insertion function, WfpAleInsertTokenInformationByUserTokenIdIfNeeded, is explored, revealing its relation to IPSec.

Attack Techniques Developed by Researchers

Duplicating Tokens via WFP:

Duplicating tokens (Source: Deep Instinct)

By sending a device IO request, WfpAleProcessTokenReference is invoked, attaching the thread to the process space, duplicating tokens, and adding them to the hash table. Brute-forcing the LUID can lead to token duplication.

Triggering IPSec Connection

Ipsec Communication (Source: Deep Instinct)

Configuring an IPSec policy can lead to token insertion into the hash table. The Print Spooler service is exploited to achieve this through RPC calls.

Manipulating User Service

Gaining the token of another logged-on user can facilitate lateral movement. 

The OneSyncSvc service, involving RPC calls and ALPC ports, is manipulated to achieve this. While these attack techniques are designed to be stealthy, they are not undetectable. 

The “NoFilter” technique highlights a sophisticated and covert approach to privilege escalation by exploiting the Windows Filtering Platform.

Security professionals are advised to stay vigilant, monitor for suspicious activities related to the Windows Filtering Platform, and explore ways to defend against such attacks.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CVE/vulnerability

Critical Vulnerability in Meta Llama Framework Let Remote Attackers Execute Arbitrary Code

The Oligo Research team has disclosed a critical vulnerability in Meta’s widely used Llama-stack...
Cyber Security News

INE Security Alert: Expediting CMMC 2.0 Compliance

INE Security, a leading global provider of cybersecurity training and certifications, today announced a...
cyber security

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...
cyber security

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

Register Now

More like this

CVE/vulnerability

Critical Vulnerability in Meta Llama Framework Let Remote Attackers Execute Arbitrary Code

The Oligo Research team has disclosed a critical vulnerability in Meta’s widely used Llama-stack...
Cyber Security News

INE Security Alert: Expediting CMMC 2.0 Compliance

INE Security, a leading global provider of cybersecurity training and certifications, today announced a...
cyber security

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved